ScreenOS Firewalls (NOT SRX)
Contributor
TheEvilMuppet
Posts: 11
Registered: ‎05-29-2008
0

Untrust connectivity ceases after 30 - 45 minutes on SSG-140

First prize to anyone who can give any advice in this problem.

 

I have a typical Untrust/DMZ/Trust network setup, currently using two Netscreen  50s. Last night, we attempted to replace them with two SSG-140s.

 

Everything went perfectly until about 30 minutes after cutting the SSG-140s in. At that point, all traffic to and from the Untrust zone ceased. There were no alarms, failover events or problems reported on any of our switches or routers.

 

A reboot returned the firewalls to service, but the same problem occurred again in a near-identical time span. As a result, we rolled back.

 

Has anyone seen a similar problem to this in the past?

Contributor
alan
Posts: 96
Registered: ‎11-20-2007
0

Re: Untrust connectivity ceases after 30 - 45 minutes on SSG-140

ScreenOS 6.0R5?
Contributor
TheEvilMuppet
Posts: 11
Registered: ‎05-29-2008
0

Re: Untrust connectivity ceases after 30 - 45 minutes on SSG-140

Yes - ScreenOS 6.0.0r5.
Super Contributor
sylvain
Posts: 162
Registered: ‎12-20-2007
0

Re: Untrust connectivity ceases after 30 - 45 minutes on SSG-140


I got a similar problem with ScreenOS 5.4.r8 on the SSG140. There was a software bug in the network driver of the SSG140.

The issue was solved with 5.0.r10.

Do you see any dump files with the get file command? If yes, open a case and try a downgrade to 5.4.r10.

Message Edited by sylvain on 05-29-2008 06:21 PM
Contributor
alan
Posts: 96
Registered: ‎11-20-2007
0

Re: Untrust connectivity ceases after 30 - 45 minutes on SSG-140


There's a known bug in 6.0R5 with lockups on SSG5/SSG20, though this is the first I've heard of it on an SSG-140.

 

Here's the thread...

 

http://www.juniperforum.com/index.php/topic,6478.0.html

 

Message Edited by alan on 05-29-2008 08:41 PM
Recognized Expert
PentinProcessor
Posts: 258
Registered: ‎11-06-2007
0

Re: Untrust connectivity ceases after 30 - 45 minutes on SSG-140

I just checked, and we have had reports on the SSG-5, SSG-20, and SSG-140.

 

Refer to this posting for the work-around:

http://forums.juniper.net/jnet/board/message?board.id=Firewalls&thread.id=1103

 

Kind regards,

Josine 

Contributor
alan
Posts: 96
Registered: ‎11-20-2007
0

Re: Untrust connectivity ceases after 30 - 45 minutes on SSG-140

So what's First Prize? :)
Super Contributor
oldtimer
Posts: 227
Registered: ‎11-06-2007
0

Re: Untrust connectivity ceases after 30 - 45 minutes on SSG-140

What are the duplex settings on the interfaces?  Are they auto-auto, 100/full-100/full, or is one side auto, the other side hard-coded?  Try matching the duplex settings on all interface matchings to the switch, and see if the problem disappears.
Contributor
TheEvilMuppet
Posts: 11
Registered: ‎05-29-2008
0

Re: Untrust connectivity ceases after 30 - 45 minutes on SSG-140

We'd love to use a work-around here, but we can't.


We use the redundant interfaces feature of the SSG-140, and there's no way of altering physical properties for the redundant interface itself or its member interfaces.

 

Contributor
alan
Posts: 96
Registered: ‎11-20-2007
0

Re: Untrust connectivity ceases after 30 - 45 minutes on SSG-140

I also cannot hard-code - the interface goes to a metro-ethernet from the ISP.

 

There is fixed code available from JTAC.

 

I cannot believe Juniper doesn't make this readily available as well as publishing this showstopper bug. 

 
